CVE-2017-8447Improper Access Control in X-pack Security

CWE-284Improper Access ControlCWE-269Improper Privilege Management3 documents3 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 70.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Elastic X-pack SecurityElastic X-pack
Timeline
PublishedSep 29
Latest updateMay 13

Description

An error was found in the X-Pack Security 5.3.0 to 5.5.2 privilege enforcement. If a user has either 'delete' or 'index' permissions on an index in a cluster, they may be able to issue both delete and index requests against that index.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5elastic/elastic_x-pack_security5.3.0 to 5.5.2
NVDelastic/x-pack7 versions+6

🔴Vulnerability Details

2
GHSA
GHSA-gr96-2h6w-pf97: An error was found in the X-Pack Security 52022-05-13
CVEList
CVE-2017-8447: An error was found in the X-Pack Security 52017-09-28
CVE-2017-8447 — Improper Access Control in Elastic | cvebase